Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
We aim to improve product and software security with our new threat modeling playbook. We consider threat modeling as a foundational activity to improve your software assurance. We are convinced that a good threat modeling practice will measurably decrease security issues of delivered products.
As strong believers in open source, active OWASP collaborators and to increase our impact beyond our Toreon customers, we donate this threat modeling playbook to the community.
We hope you will use this playbook to improve your threat modeling practice. We also encourage you to provide feedback to our OWASP threat modeling community in order to make this playbook even better in our next release.
Setting up a secure development life cycle with OWASP - Sebastien Deleersnyder
Using the OWASP Software Assurance Maturity Model (OpenSAMM) as a framework, this talk covers the major application security controls of a secure development lifecycle program as provided by OWASP. Featured OWASP open source material includes OWASP guidelines and tools such as ESAPI and ZAProxy, as well as educational resources.
Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network, and carry out reconnaissance. Symantec analyzed PowerShell malware samples to find out how much of a danger they posed.
Further reading:
PowerShell threats surge: 95.4 percent of analyzed scripts were malicious (https://www.symantec.com/connect/blogs/powershell-threats-surge-954-percent-analyzed-scripts-were-malicious)
The increased use of PowerShell in attacks (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf)
Benchmarking Web Application Scanners for YOUR Organization - Denim Group
Web applications pose significant risks for organizations. The selection of an appropriate scanning product or service can be challenging because every organization develops their web applications differently and decisions made by developers can cause wide swings in the value of different scanning technologies. To make a solid, informed decision, organizations need to create development team- and organization-specific benchmarks for the effectiveness of potential scanning technologies. This involves creating a comprehensive model of false positives, false negatives and other factors prior to mandating analysis technologies and making decisions about application risk management. This presentation provides a model for evaluating application analysis technologies, introduces an open source tool for benchmarking and comparing tool effectiveness, and outlines a process for making organization-specific decisions about analysis technology selection.
Symantec Ubiquity is an award-winning, next generation security technology that is built on community-based reputation for fighting evolving malware. A result of more than four years of development, Ubiquity enables Symantec to harness the anonymous software usage patterns of more than 100 million Symantec customer computers, and deliver protection against micro-distributed, mutating threats, that would otherwise completely evade traditional security solutions.
Presentation I just finished creating for Denim Group, my client's new vulnerability management platform launch. We've gotten over 10 articles so far and several analyst quotes!
Top Strategies to Capture Security Intelligence for Applications - Denim Group
Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today's attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.
At VMworld 2012, Symantec announced new solutions and technical integrations with VMware across its entire product portfolio to ensure higher levels of protection for virtualized environments. Together, Symantec and VMware enable SMBs and enterprises to use the benefits of virtualization without compromising protection.
Symantec announced new offerings to create a trusted ecosystem of applications and partners to help businesses accelerate the execution of their mobility initiatives. The offerings include two new programs – the App Center Ready Program for application developers and the Mobility Solution Specialization Program for channel partners – as well as a single mobile suite spanning device management, application management and mobile security.
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge... - Denim Group
Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out.
Two different interactions are examined:
• How can knowledge of code make application scanning better?
• How can application scan results be mapped back to specific lines of code?
Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web application scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific lines of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is given to Java/JSP applications and Java/Spring applications and how teams using these frameworks can best benefit from these interactions.
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni... - Denim Group
Threat modeling is a valuable technique for identifying potential security issues in complex applications, but many teams have been slow to adopt it. This presentation looks at threat modeling from two perspectives – that of a system builder trying to avoid introducing security defects into a new system, and that of a system tester trying to identify security issues in an existing system. The materials include discussion of where threat modeling is best done during the development lifecycle as well as the process of creating and refining a threat model.
Follow Dan Cornell on twitter - @danielcornell
Vulnerability Management In An Application Security World: AppSecDC - Denim Group
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
7 Ways to Stay 7 Years Ahead of the Threat - IBM Security
With breach reports becoming a weekly, if not daily, occurrence, organizations need proactive security to protect themselves and their customers against the loss of sensitive data. Hear from IBM X-Force research and product experts on 7 types of behavior-based protection layered into network and endpoint security that can help your organization stay ahead of the threat. Our protection is so successful, in fact, that our IPS customers were protected from exploits of the recently disclosed Shellshock vulnerability seven years ahead of the threat.
The disappearing network perimeter means organizations can no longer rely on traditional methods to secure their networks, and must plan for porous access to corporate assets and intellectual property. Deploying a simple intrusion prevention solution that relies on pattern matching is insufficient to identify malicious actors who can evade traditional protection strategies. By focusing on blocking the behavior of malware, rather than pattern matching against specific exploits, organizations are better protected with techniques like protocol analysis detection, shellcode heuristics, application layer heuristics, malicious communication prevention, and exploit chain disruption.
View the full on-demand webcast: http://securityintelligence.com/events/8-ways-stay-5-years-ahead-threat/#.VYxgB_lVhBf
Application Security Program Management with Vulnerability Manager - Denim Group
Using free Java-based software, application security managers can now have increased visibility into and control of enterprise security programs as well as the data that can be used to support sophisticated conversations with their managers and executives. Denim Group's Vulnerability Manager works through a centralized system to allow security teams to import and consolidate application-level vulnerabilities, automatically generate virtual patches, monitor attack attempts, communicate with defect tracking systems, and evaluate team maturity. Vulnerability Manager is a Java-based web application available for free under the Mozilla Public License.
This demonstration will cover the major functional areas of the Vulnerability Manager:
• Application portfolio management – Creating a portfolio of applications under management and tracking critical information about those applications such as associated technologies and sensitivity of data under management.
• Vulnerability import and merging – Importing results of both static and dynamic scans of code, de-duplicating results and merging the output from multiple tools into a unified view of the security state of an application.
• Automated virtual patch generation – Automatically creating IDS/IPS and WAF rules to provide real-time protection for certain classes of vulnerabilities as well as consuming log results from WAF/IDS/IPS in order to identify which vulnerabilities are under active attack.
• Defect tracker integration – Bundling multiple vulnerabilities into packages, sending them to software defect tracking systems, and monitoring the defects to identify when software developers have closed them out.
• Team maturity evaluation – Tracking interviews with development teams related to the security practices they have adopted based on maturity models such as OpenSAMM.
In addition, the presentation will explain the internals of the Vulnerability Manager software – the design decisions made as well as opportunities to extend the system to support additional technologies.
Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar - IBM Security
View on demand: https://securityintelligence.com/events/dont-drown-in-a-sea-of-cyberthreats/
Security teams can be overwhelmed by a sea of vulnerabilities without the contextual data to help them focus their efforts on the weaknesses that are most likely to be exploited. Cyberthreats need to be stopped before they cause significant financial and reputational damage to an organization. You need a security system that can detect an attack, prioritize risks and respond within minutes to shut down an attack or vulnerability that could compromise your endpoints and data.
Join this webinar and learn how IBM BigFix seamlessly integrates with IBM QRadar to provide accelerated risk prioritization and incident response to mitigate potential attacks giving you an integrated threat protection system to keep your corporate and customer data secure.
Symantec executes on its promise to offer innovative and comprehensive solutions to meet the many increasing security and performance needs for connected businesses. The company announces new offerings to its Website Security Solutions portfolio, featuring the first available multi-algorithm SSL certificates with additional ECC and DSA options. These offerings will help organizations build and protect their web ecosystems and strengthen the foundation of trust online. The WSS strategy focuses on protecting companies, meeting compliance requirements, improving performance and reducing infrastructure costs. The end result is to deliver trusted shopping, trusted advertising and trusted applications for businesses and their consumer customers.
IBM Smarter Business 2012 - IBM Security: Threat landscape - IBM Sverige
IBM Security Systems presents the latest risks and trends from the X-Force 2011 Full Year report, and how you can protect your infrastructure from these evolving threats using Security Intelligence from Q1 Labs and IBM's recently announced Advanced Threat Protection Platform.
Speaker: Mikael Andersson, Client Technical Professional, IBM
Visit http://smarterbusiness.se for more information.
The Web AppSec How-To: The Defender's Toolbox - Checkmarx
Web application security has made headline news in the past few years. In this article, we review the various Web application security tools and highlight important decision factors to help you choose the application security technology best suited for your environment.
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate in detail common and uncommon problems, and their respective solutions, with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, specific web application technologies IDS bypasses and more.
These slides have been presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.
Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap... - IBM Security
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response and detecting and preventing threats? And most importantly, how do you have your security team serve your business and mission? Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.
For Business's Sake, Let's focus on AppSec - Lalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
OWASP Top 10 List Overview for Web Developers - Benjamin Floyd
The OWASP Top 10 List was recently updated for 2013, and many developers still do not know what it is or why they should care. It is a list of the top web security threats developers need to address to produce secure websites. Most developers aren't security experts, so the OWASP Top 10 Project has created resources designed for developers to quickly test their applications. Come hear about the list, why and how you can use it to make your job easier, and learn about resources you can use to quickly determine if your applications are addressing security threats properly.
Application Security - Your Success Depends on it - WSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
The How to Test for the OWASP Top Ten webcast focuses on tell-tale markers of the OWASP Top Ten and techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
Essentials of Web Application Security: what it is, why it matters and how to... - Cenzic
Join Cenzic’s Chris Harget for an overview of the essentials of Web Application Security, including the risks, practices and tools that improve security at every stage of the application lifecycle.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application User Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines - Sanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx - Brad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1. Wireless Communication System_Wireless communication is a broad term that i... - JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 - APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
3. Sebastien Deleersnyder?
– 5 years developer experience
– 15+ years information security experience
– Consultant & managing partner Toreon
– Belgian OWASP chapter founder
– OWASP volunteer
– www.owasp.org
– Co-organizer www.BruCON.org
4. OWASP World
OWASP is a worldwide free and open community focused on improving the security of application software.
Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
7. Web Application Security Problem
• 75% of attacks are aimed straight at the application layer (GARTNER)
• 92% are application vulnerabilities instead of network vulnerabilities (NIST)
• Recent examples (2011-2012):
– Citibank breached using simple URL manipulation. 200,000 customer accounts compromised.
– Rabobank knocked offline by DDOS attack. Caused outage of Dutch central payment system.
– Elantis held to ransom over hacked customer data.
– Target shares tumble as retailer reveals cost of data breach (148M $) – 70 M customer data leaked.
9. e-Crime Inc
• Online Extortion
• Phishing
• Denial of Service
• Credit Card Stealing
• Bot Infection
• Bot-net pharming
• Sell phishing tools
• ...
See the Web Hacking Incidents Database on
http://www.webappsec.org/projects/whid/
10. State actors
• Track users
• Drive-by downloads
• Social engineering
• Tapping Telcos
• Hacking Telcos (BICS)
• Crypto backdoors
• Industrial espionage
"Electronic devices are increasingly embedded in everything from vehicles to guided missiles, and are often integrated into systems which are difficult and costly to update or upgrade as new threats or vulnerabilities are identified with increasing speed and widely ranging tempo," he explained. "These factors represent malefactors impacting our warfighting systems." …
Army.mil/News - Lt. Gen. Edward C. Cardon
11. Myth
Myth: we are secure because we have a firewall
75% of Internet Vulnerabilities are at Web Application Layer *
* Gartner Group (2002 report)
14. Myth
• Myth 2 - we are secure because we use SSL
– only secures data in transit
– does not solve vulnerabilities on:
• Web server
• Browser
15. [Diagram: the network layer (firewall, hardened OS, web server, app server, firewall) sits in front of the application layer (custom developed application code, databases, legacy systems, web services, directories, human resources, billing). An application attack passes straight through the network layer to the application code.]
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
Your security “perimeter” has huge holes at the application layer
16. Trends
• Business demands more bells and whistles
• Internal applications get ‘web-enabled’ and are exposed to Intranet or Internet
• Increasing complexity of software
• Rush software out without adequate testing
• Poor security training and awareness
20. OWASP Top 10 Risk Rating Methodology
Threat Agent | Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
? | Easy | Widespread | Easy | Severe | ?
? | Average | Common | Average | Moderate | ?
? | Difficult | Uncommon | Difficult | Minor | ?
XSS Example: Attack Vector Average (2), Weakness Prevalence Widespread (1), Weakness Detectability Easy (1), Technical Impact Moderate (2); the average of the first three (1.3) * the impact (2) = 2.6 weighted risk rating
21. A1 – Injection
Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter
Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL injection is still quite common
• Many applications still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid
Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access
22. example : SQL-injection attack
[Diagram: user → https → web server → application server → user database]
Intended query:
Select user_information from user_table where username='input username' and password='input password'
Query after injection:
Select user_information from user_table where username='' or 1=1 -- ' and password='abc'
DEMO
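The two queries on this slide, as an added example that is not part of the original deck: the string-building login the slide shows beside a parameterised one, both run against a constructed in-memory SQLite table shaped like the slide's user_table (the table contents and function names are assumptions).

```python
import sqlite3

# Constructed sample data (not from the slides): two users with known passwords.
USERS = [
    ("alice", "s3cret", "alice's profile"),
    ("bob", "hunter2", "bob's profile"),
]


def make_db():
    """Create an in-memory SQLite database shaped like the slide's user_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_table (username TEXT, password TEXT, user_information TEXT)"
    )
    conn.executemany("INSERT INTO user_table VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The slide's pattern: user input is pasted straight into the SQL text, so
    the database parses the input as part of the command."""
    sql = (
        "SELECT user_information FROM user_table "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Parameterised query: the same input is bound as a value and can never
    change the shape of the statement."""
    sql = "SELECT user_information FROM user_table WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run both versions with the slide's payload and with a real credential."""
    conn = make_db()
    # The slide's input: closes the quote, makes the WHERE clause always true
    # and turns the rest of the statement (the password check) into a comment.
    payload = "' or 1=1 -- "
    return {
        "vulnerable": login_vulnerable(conn, payload, "abc"),  # every row
        "safe": login_safe(conn, payload, "abc"),              # no row
        "legit": login_safe(conn, "alice", "s3cret"),          # alice only
    }
```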
23. Go shopping …
• … A federal grand jury on Monday indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven and three other retailers. Gonzalez is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit card numbers from those companies.
• … Court documents filed in connection with Monday's indictment spelled out how Gonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies.
http://www.computerworld.com/article/2527185/security0/sql-injection-attacks-led-to-heartland--hannaford-breaches.html
24. A2 – Broken Authentication and Session Management
HTTP is a “stateless” protocol
• Means credentials have to go with every request
• Should use SSL for everything requiring authentication
Session management flaws
• SESSION ID used to track state since HTTP doesn’t
• and it is just as good as credentials to an attacker
• SESSION ID is typically exposed on the network, in browser, in logs, …
Beware the side-doors
• Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
Typical Impact
• User accounts compromised or user sessions hijacked
26. A3 – Cross-Site Scripting (XSS)
Occurs any time…
• Raw data from attacker is sent to an innocent user’s browser
Raw data…
• Stored in database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into rich JavaScript client
Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)
Typical Impact
• Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
27. XSS Definition
• XSS = Cross-site Scripting
• Web application vulnerability
• Injection of code into web pages viewed by others
28. Cross-Site Scripting (XSS)
Example:
User input is retrieved from the “name” parameter
http://myserver.com/XSS.jsp?name=Pieter
Result (HTML returned to the browser):
...
<h1>Hello Pieter</h1>
...
Input is embedded inside the HTML response:
..
out.print("<h1>Hello " + request.getParameter("name") + "</h1>");
..
29. Cross-Site Scripting (XSS)
Abused by the attacker:
Attacker inserts JavaScript code in the “name” parameter
http://myserver.com/XSS.jsp?name=<script>code</script>
Result (HTML returned to the browser):
...
<h1>Hello <script>code</script></h1>
...
Input is embedded inside the HTML response:
..
out.print("<h1>Hello " + request.getParameter("name") + "</h1>");
..
DEMO
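Added example, not code from the deck: the slide's out.print line rendered in Python next to the output-encoded version, with the slide's two requests as constructed inputs. The request dictionaries stand in for the JSP request object and html.escape for an encoder such as ESAPI's Encoder; the function names are assumptions.

```python
import html

# Constructed requests (not from the slides): the query-string parameters of
# the two URLs shown on the slides.
BENIGN_REQUEST = {"name": "Pieter"}
ATTACK_REQUEST = {"name": "<script>code</script>"}


def render_vulnerable(params):
    """Mirrors out.print("<h1>Hello " + request.getParameter("name") + "</h1>"):
    the raw parameter is concatenated into the HTML response, so markup in the
    parameter becomes markup in the page."""
    return "<h1>Hello " + params.get("name", "") + "</h1>"


def render_safe(params):
    """Same page, but the untrusted value is entity-encoded for the HTML body
    context before it is written. The browser now shows the literal text
    '<script>code</script>' instead of running it."""
    return "<h1>Hello " + html.escape(params.get("name", ""), quote=True) + "</h1>"


def contains_script_tag(markup):
    """Detection helper for the demo: does the response carry a <script tag
    that did not come from the template?"""
    body = markup.replace("<h1>", "").replace("</h1>", "")
    return "<script" in body.lower()
```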
32. A4 – Insecure Direct Object References
How do you protect access to your data?
• This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access
A common mistake …
• Only listing the ‘authorized’ objects for the current user, or
• Hiding the object references in hidden fields
• … and then not enforcing these restrictions on the server side
• This is called presentation layer access control, and doesn’t work
• Attacker simply tampers with parameter value
Typical Impact
• Users are able to access unauthorized files or data
33. Insecure Direct Object References Illustrated
https://www.onlinebank.com/user?acct=6065
• Attacker notices his acct parameter is 6065: ?acct=6065
• He modifies it to a nearby number: ?acct=6066
• Attacker views the victim’s account information
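Added example, not from the deck: two server-side fixes for the ?acct tampering shown above. The first keeps the direct reference but checks ownership; the second hands the browser only per-session random tokens, in the style of ESAPI's AccessReferenceMap. The owner table, class API and token format are constructed.

```python
import secrets


class AccessReferenceMap:
    """Per-session indirect reference map: the client only ever sees random
    tokens, and a token resolves only to an object this session was granted."""

    def __init__(self):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}

    def add(self, direct_ref):
        """Grant access to direct_ref and return the token to expose instead."""
        if direct_ref in self._direct_to_indirect:
            return self._direct_to_indirect[direct_ref]
        token = secrets.token_urlsafe(8)
        self._direct_to_indirect[direct_ref] = token
        self._indirect_to_direct[token] = direct_ref
        return token

    def get_direct(self, indirect_ref):
        """Resolve a token; tampered or guessed tokens are refused."""
        if indirect_ref not in self._indirect_to_direct:
            raise PermissionError("unknown or unauthorised object reference")
        return self._indirect_to_direct[indirect_ref]


# Constructed data (not from the slides): who owns which account.
ACCOUNT_OWNERS = {6065: "attacker", 6066: "victim"}


def view_account_direct(user, acct):
    """The slide's flaw: the server trusts ?acct=... without checking that the
    authenticated user owns that account."""
    return f"account {acct} of {ACCOUNT_OWNERS[acct]}"


def view_account_checked(user, acct):
    """Fix 1: keep the direct reference, but enforce ownership on the server."""
    if ACCOUNT_OWNERS.get(acct) != user:
        raise PermissionError(f"{user} may not view account {acct}")
    return f"account {acct} of {ACCOUNT_OWNERS[acct]}"


def demo():
    """Replay the slide's tampering against the flaw and against both fixes."""
    session_map = AccessReferenceMap()      # Fix 2: built per login session
    token = session_map.add(6065)            # attacker's own account -> token
    results = {"direct_tampered": view_account_direct("attacker", 6066)}
    try:
        view_account_checked("attacker", 6066)
        results["checked_tampered"] = "allowed"
    except PermissionError:
        results["checked_tampered"] = "denied"
    results["indirect_own"] = session_map.get_direct(token)
    try:
        session_map.get_direct("6066")       # raw id pasted where a token belongs
        results["indirect_tampered"] = "allowed"
    except PermissionError:
        results["indirect_tampered"] = "denied"
    return results
```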
34. A5 – Security Misconfiguration
Web applications rely on a secure foundation
• All through the network and platform
• Don’t forget the development environment
Is your source code a secret?
• Think of all the places your source code goes
• Security should not require secret source code
Configuration Management must extend to all parts of the application
• All credentials should change in production
Typical Impact
• Install backdoor through missing network or server patch
• XSS flaw exploits due to missing application framework patches
• Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
35. Security Misconfiguration Illustrated
[Diagram: the stack (hardened OS, web server, app server, framework, app configuration, custom code) supports the business functions (accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce); test servers, QA servers, source control, development and database sit alongside, and an insider has access to them.]
36. Serving up malware
A quick Google Safe Browsing search of TechCrunch Europe's site shows suspicious activity twice over the last 90 days.
"Of the 128 pages we tested on the site over the past 90 days, 58 page(s) resulted in malicious software being downloaded and installed without user consent."
(sep 2010)
Reason: unpatched WordPress
37. A6 – Sensitive Data Exposure
Storing and transmitting sensitive data insecurely
• Failure to identify all sensitive data
• Failure to identify all the places that this sensitive data gets stored
• Databases, files, directories, log files, backups, etc.
• Failure to identify all the places that this sensitive data is sent
• On the web, to backend databases, to business partners, internal communications
• Failure to properly protect this data in every location
Typical Impact
• Attackers access or modify confidential or private information
• e.g., credit cards, health care records, financial data (yours or your customers)
• Attackers extract secrets to use in additional attacks
• Company embarrassment, customer dissatisfaction, and loss of trust
• Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance
• Business gets sued and/or fined
38. Insecure Cryptographic Storage Illustrated
[Diagram: custom code behind the business functions (accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce) writing to log files.]
1. Victim enters credit card number in form
2. Error handler logs CC details because merchant gateway is unavailable
3. Logs are accessible to all members of IT staff for debugging purposes
4. Malicious insider steals 4 million credit card numbers
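Added example, not from the deck: a logging filter that masks card numbers before any record reaches a sink, so the error handler in the illustration can still record the gateway failure without the PAN ever landing in a log that the whole IT staff can read. The payments logger, the charge() step and the card number (a well-known test number) are constructed.

```python
import logging
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum, so only plausible card numbers are masked, not every
    long number (order ids, timestamps) that happens to appear in a message."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text):
    """Replace every Luhn-valid card number in text by its last four digits."""
    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


class PanRedactingFilter(logging.Filter):
    """Attach to every handler so no sink, wherever its files end up, receives
    a full card number. Formatting happens here so %-args are covered too."""
    def filter(self, record):
        record.msg = mask_pan(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """In-memory sink standing in for the shared log file of the slide."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_logger(name):
    """Constructed payments logger with the redacting filter on its handler."""
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    sink = ListHandler()
    sink.addFilter(PanRedactingFilter())
    log.addHandler(sink)
    return log, sink


def charge(log, card_number, amount, gateway_available):
    """Constructed checkout step: when the merchant gateway is down, the error
    is still logged, but the card number is masked before it is written."""
    if not gateway_available:
        log.error("gateway unavailable, charge of %s on card %s failed", amount, card_number)
        return False
    log.info("charged %s on card %s", amount, card_number)
    return True


def demo():
    """Log one failed and one successful charge; return the sink's lines."""
    log, sink = build_logger("payments-demo")
    test_pan = "4111 1111 1111 1111"   # constructed test card number
    charge(log, test_pan, "19.99", gateway_available=False)
    charge(log, test_pan, "19.99", gateway_available=True)
    return sink.lines
```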
41. A7 – Missing Function Level Access Control
How do you protect access to URLs (pages)?
• This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References
A common mistake …
• Displaying only authorized links and menu choices
• This is called presentation layer access control, and doesn’t work
• Attacker simply forges direct access to ‘unauthorized’ pages
Typical Impact
• Attackers invoke functions and services they’re not authorized for
• Access other user’s accounts and data
• Perform privileged actions
42. Failure to Restrict URL Access Illustrated
https://www.onlinebank.com/user/getAccounts
• Attacker notices the URL indicates his role: /user/getAccounts
• He modifies it to another directory (role): /admin/getAccounts, or /manager/getAccounts
• Attacker views more accounts than just their own
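Added example, not from the deck: a deny-by-default, server-side function-level check for the forged /admin/getAccounts request above, next to the presentation-layer behaviour the slide warns about. The route table, the sessions and the role names are constructed.

```python
# Constructed route table (not from the slides): every URL the application
# serves is mapped to the roles allowed to invoke it. Anything not listed
# here is denied by default.
ROUTES = {
    "/user/getAccounts": {"user", "manager", "admin"},
    "/manager/getAccounts": {"manager", "admin"},
    "/admin/getAccounts": {"admin"},
}

# Constructed server-side sessions: the caller's role comes from here, never
# from the URL path, a hidden field or anything else the client can edit.
SESSIONS = {
    "sess-1": {"name": "attacker", "role": "user"},
    "sess-2": {"name": "ops", "role": "admin"},
}


def dispatch_presentation_layer(session_id, path):
    """The flaw on the slide: the menu shows a user only /user/getAccounts,
    but the server executes whatever path the browser actually requests."""
    return f"{path} executed for {SESSIONS[session_id]['name']}"


def dispatch_enforced(session_id, path):
    """Function-level access control on every request, before any business
    logic runs: unauthenticated callers, unknown paths and roles missing from
    the route's allow-list all raise PermissionError."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("not authenticated")
    allowed_roles = ROUTES.get(path)
    if allowed_roles is None or session["role"] not in allowed_roles:
        # A plain user requesting /admin/... is worth an alert, not just a 403.
        raise PermissionError(f"{session['name']} ({session['role']}) denied {path}")
    return f"{path} executed for {session['name']}"


def try_dispatch(session_id, path):
    """Demo helper: the dispatch result, or 'denied' when the check refuses."""
    try:
        return dispatch_enforced(session_id, path)
    except PermissionError:
        return "denied"
```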
43. A8 – Cross Site Request Forgery (CSRF)
Cross Site Request Forgery
• An attack where the victim’s browser is tricked into issuing a command to a vulnerable web application
• Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request
Imagine…
• What if a hacker could steer your mouse and get you to click on links in your online banking application?
• What could they make you do?
Typical Impact
• Initiate transactions (transfer funds, logout user, close account)
• Access sensitive data
• Change account details
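Added example, not from the deck: the synchroniser token pattern applied to the transfer scenario above. It shows why a request forged by another site goes through when the server only relies on the automatically attached session cookie, and why it is refused once a per-session token that the other site cannot read is required. The session store, form field name and helper names are constructed.

```python
import hmac
import secrets

# Constructed session store (not from the slides): one CSRF token per login.
SESSIONS = {}


def login(session_id):
    """Create a session and mint an unguessable per-session CSRF token."""
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return SESSIONS[session_id]["csrf_token"]


def render_transfer_form(session_id):
    """Legitimate pages embed the session's token in a hidden field. A page
    served by another origin cannot read this value."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"></form>'
    )


def handle_transfer_vulnerable(cookie_session_id, form):
    """The slide's flaw: the browser attached the session cookie by itself, so
    a POST triggered from another site is indistinguishable from a real one."""
    if cookie_session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return f"transferred {form['amount']} to {form['to']}"


def handle_transfer_protected(cookie_session_id, form):
    """Synchroniser token check: the submitted token must match the one stored
    for the session. Constant-time comparison avoids leaking it byte by byte."""
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        raise PermissionError("not logged in")
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        raise PermissionError("missing or invalid CSRF token")
    return f"transferred {form['amount']} to {form['to']}"


def try_transfer(cookie_session_id, form):
    """Demo helper: the protected handler's result, or 'rejected'."""
    try:
        return handle_transfer_protected(cookie_session_id, form)
    except PermissionError:
        return "rejected"


def demo():
    """Replay the same cross-site POST against both handlers."""
    token = login("victim-session")
    forged = {"to": "acct-9999", "amount": "1000"}   # fields an evil page can set
    return {
        "vulnerable": handle_transfer_vulnerable("victim-session", forged),
        "no_token": try_transfer("victim-session", forged),
        "wrong_token": try_transfer("victim-session", dict(forged, csrf_token="guess")),
        "real_token": try_transfer("victim-session", dict(forged, csrf_token=token)),
        "form_has_token": token in render_transfer_form("victim-session"),
    }
```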
47. A9 – Using Known Vulnerable Components
Vulnerable Components Are Common
• Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools
• This expands the threat agent pool beyond targeted attackers to include chaotic actors
Widespread
• Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date
• In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse
Typical Impact
• Full range of weaknesses is possible, including injection, broken access control, XSS ...
• The impact could range from minimal to complete host takeover and data compromise
49. Automation Example for Java – Use Maven ‘Versions’ Plugin
Output from the Maven Versions Plugin – Automated Analysis of Libraries’ Status against Central repository
[Screenshot: the report flags the most out-of-date libraries and gives the details the developer needs]
This can automatically be run EVERY TIME software is built!!
50. A10 – Unvalidated Redirects and Forwards
Web application redirects are very common
• And frequently include user supplied parameters in the destination URL
• If they aren’t validated, attacker can send victim to a site of their choice
Forwards (aka Transfer in .NET) are common too
• They internally send the request to a new page in the same application
• Sometimes parameters define the target page
• If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks
Typical Impact
• Redirect victim to phishing or malware site
• Attacker’s request is forwarded past security checks, allowing unauthorized function or data access
51. Unvalidated Redirect Illustrated
[Diagram: custom code behind the business functions (accounts, finance, administration, transactions, communication, knowledge mgmt, e-commerce), and the Evil Site.]
1. Attacker sends attack to victim via email or webpage
From: Internal Revenue Service
Subject: Your Unclaimed Tax Refund
Our records show you have an unclaimed federal tax refund. Please click here to initiate your claim.
2. Victim clicks link containing unvalidated parameter
http://www.irs.gov/taxrefund/claim.jsp?year=2006& … &dest=www.evilsite.com
3. Application redirects victim to attacker’s site
Request sent to vulnerable site, including attacker’s destination site as parameter. Redirect sends victim to attacker site
4. Evil site installs malware on victim, or phishes for private information
52. Jobs by CNN?
• http://ads.cnn.com/event.ng/Type=click&Redirect=http:/bit.ly/cP–XW
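Added example, not from the deck: validating the dest parameter of the tax-refund slide so that the redirect only ever lands on the application's own host or an allow-listed one, and falls back to a fixed page otherwise. The own host, the allow-list and the function names are constructed; the check also covers bypass variants (scheme-relative, backslash, user@host and non-http URLs) that the slide does not spell out.

```python
from urllib.parse import urljoin, urlsplit

# Constructed configuration (not from the slides): the host the application is
# served from, and the only other host it is allowed to redirect users to.
OWN_HOST = "www.irs.gov"
ALLOWED_HOSTS = {OWN_HOST, "secure.payments.example"}
DEFAULT_TARGET = "/"


def redirect_vulnerable(dest):
    """The slide's flaw: whatever arrives in dest becomes the Location header."""
    return dest


def safe_redirect_target(dest):
    """Return an absolute redirect target only if it stays on an allow-listed
    host; anything else falls back to DEFAULT_TARGET.

    The parameter is first resolved against the application's own origin, so
    a plain path stays local, while an absolute URL to another host, a
    scheme-relative //host, a backslash variant, a user@host trick or a
    non-http scheme all surface as a foreign host or scheme and are refused.
    """
    if not dest:
        return DEFAULT_TARGET
    # Browsers treat a backslash like a slash; normalise before parsing so
    # "/\\evil.example" is not mistaken for a harmless local path.
    resolved = urljoin(f"https://{OWN_HOST}/", dest.replace("\\", "/"))
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return resolved
```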
54. Mobile Threat Model
• Platforms vary with mileage
• Very different from traditional web app model due to other use cases and usage patterns
• Must consider more than the ‘apps’
• Remote web services
• Platform integration (iCloud, C2DM)
• Device (in)security considerations
57. Mobile top 10 risks
Only 1% of consumers feel safe using mobile payments *
* http://www.net-security.org/secworld.php?id=17767
58. work in progress
• OWASP Mobile Security Project
• Roadmap:
– Threat Model
– Top 10 Mobile Risks
– Top 10 Mobile Controls
– Platform-Specific Guidance
– Training (goat droid)
– Cheat Sheets
– Security Testing Methodologies
59. Critical threats to cloud security:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
* The Notorious Nine 2013 - CSA
62. Internet of Things Top 10 - Complete IoT Review
• Review all aspects of Internet of Things
• Top Ten Categories
• Covers the entire device
• Without comprehensive coverage like this it would be like getting your physical but only checking one arm
• We must cover all surface area to get a good assessment of overall security
64. “Build in” software assurance
[Diagram: Secure Development Lifecycle (SAMM), running from proactive (Design) to reactive (Production)]
Design: security requirements / threat modeling
Build: coding guidelines, code reviews, static test tools
Test: security testing, dynamic test tools
Production: vulnerability scanning, WAF
65. We need a Maturity Model
• An organization’s behavior changes slowly over time
• Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
• A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
• A solution must provide enough details for non-security-people
• Overall, must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM)
66. SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
67. Under each Security Practice
• Three successive Objectives under each Practice define how it can be improved over time
• This establishes a notion of a Level at which an organization fulfills a given Practice
• The three Levels for a Practice generally correspond to:
• (0: Implicit starting point with the Practice unfulfilled)
• 1: Initial understanding and ad hoc provision of the Practice
• 2: Increase efficiency and/or effectiveness of the Practice
• 3: Comprehensive mastery of the Practice at scale
70. Education & Guidance
Resources:
• OWASP Top 10
• OWASP Education
• WebGoat
Give a man a fish and you feed him for a day;
Teach a man to fish and you feed him for a lifetime.
Chinese proverb
71. Secure Coding Practices Quick Reference Guide
• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross referenced glossary to get developers and security folks talking the same language
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
72. Code Review
Resources:
• OWASP Code Review Guide
SDL Integration:
• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases
74. Code review tooling
Code review tools:
• OWASP LAPSE (Security scanner for Java EE Applications)
• MS FxCop / CAT.NET (Code Analysis Tool for .NET)
• Agnitio (open source manual source code review support tool)
75. Security Testing
Resources:
• OWASP ASVS
• OWASP Testing Guide
SDL Integration:
• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release
77. Web Application Firewalls
[Diagram: the web client (browser) sends legitimate and malicious web traffic over port 80 through the network firewall; the web application firewall in front of the web server filters out the malicious traffic.]
– ModSecurity: World's No 1 open source Web Application Firewall
– www.modsecurity.org
• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)
– OWASP ModSecurity Core Rule Set Project, generic, plug-n-play set of WAF rules
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
78. The OWASP Enterprise Security API
[Diagram: a custom enterprise web application calls the Enterprise Security API, which sits on top of the existing enterprise security services/libraries.]
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, ExceptionHandling, Logger, IntrusionDetector, SecurityConfiguration
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
81. Goal
• Gap analysis
– Capturing scores from detailed assessments versus expected performance levels
• Demonstrating improvement
– Capturing scores from before and after an iteration of assurance program build-out
• Ongoing measurement
– Capturing scores over consistent time frames for an assurance program that is already in place
82. Plan
• Roadmaps: to make the “building blocks” usable.
• Roadmap templates for typical kinds of organizations
– Independent Software Vendors
– Online Service Providers
– Financial Services Organizations
– Government Organizations
• Tune these to your own targets / speed
83. 150+ OWASP Projects
PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
SAMM, WebGoat, Legal Project
86. Hard Copy
• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws - Dafydd Stuttard
• Secure Programming with Static Analysis – Brian Chess, Jacob West
• The Art of Software Security Assessment – Mark Dowd, John McDonald, Justin Schuh
• The Security Development Lifecycle – Michael Howard
• Threat Modeling – Frank Swiderski, Window Snyder
• Threat Modeling, designing for security – Adam Shostack
• Securing Web Services with WS-Security – Rosenberg & Remy
• Core Security Patterns – Steel, Nagappan & Ray Lai
• Security Metrics – Andrew Jaquith
94. SAMM Roadmap
Friday – User Day
• Talks
• Training
• Topic roundtables
Saturday – Project Day
• Publish SAMM v1.1
• Workshops
• Road map
owasp.org/index.php/OWASP_SAMM_Summit_2015
95. Keynotes:
• Troy Hunt
• Simon Bennetts
• Frank Breedijk
• Joshua Corman
• Tobias Gondrom
• Jim Manico
• Steve Lord
• Matt Tesauro
96. Belgium Chapter
• Meetings
• Local Mailing List
• Presentations & Groups
• Open forum for discussion
• Meet fellow InfoSec professionals
• Create (Web)AppSec awareness
• Local projects?
http://www.owasp.org/index.php/Belgium
97. Get involved
• Use and donate (feed)back!
• Attend chapter meetings
• Contribute to projects
• Donate resources
• Sponsor chapters / projects
• Become a Member